RARE user and assistance email list

[mc36 <>]

hi,
with this commit, one can configure a list of allowed/forbidden urls:
https://github.com/mc36/freeRouter/commit/36a59fba922cc10fe884fcb686478325b6be436e
freerouter will delay then the offloading of a session to the dataplanes,
and parse the first some packets at layer7 to decide if it's allowed or not...
currently http.host and tls.sni are supported, but it's not too hard to add
other protocols too... attaching a screenshot showing it in action...
regards,
cs



On 2/11/22 10:14, mc36 wrote:
> hi,
> with this commit, we're able to build a stateful firewall from tofino:
> https://github.com/mc36/freeRouter/commit/9553ecc6ad807a13d7b25b4624c52a1e8d584b1b
> now i'm retesting everything, then will push the stuff to bitbucket and so 
> on...
> then i'll have to create a sample profile for that and it's there....
> regards,
> cs
>
>
>
> On 2/11/22 08:45, mc36 wrote:
> > hi,
>> the reflexive acl (the extra punt mode) just arrived to the tofino 
codebase...
> > https://github.com/mc36/freeRouter/commit/d9de70637b62e5bc7d47468367e916ccdabde8bf
> > after some more ig_ctl main packet processing reorderings, it passed all the 
> > tests...
> > i was thinking about the extra stage requirement and i have an idea, but 
> > yeahhh,
> > we really should consider the p4insight license for gn5 to ease the work....
> > thanks,
> > cs
> >
> >
> >
> > On 2/10/22 16:21, mc36 wrote:
> > > hi,
> > > this is a bigger, but needed preparation/refactoring step to the tofino code:
> > > https://github.com/mc36/freeRouter/commit/a935c4fd1d9d5b21988cc57fda4810ff957aed88
> > > basically the nexthop/vlanout, outacl, outqos functional was moved a level 
> > > upper,
> > > so for now, it's right before where the decision is made if it's for the 
> > > cpuport
> > > or to an external port... it was necessary since the outacl need to be able 
> > > to punt...
> > > right now all the tests passed on this codebase... the next step will be to 
> > > introduce
> > > the punt in in/out acl to tna, then the racl tests, then the inspection code 
> > > will be
> > > copyed from the bmv2 counterparts....
> > > regards,
> > > cs
> > >
> > >
> > > On 2/10/22 10:21, mc36 wrote:
> > > > hi,
> > > > with this smaller change,
> > > > https://github.com/mc36/freeRouter/commit/dddffab433a17491802daf818308b7fbc8ea0e30
> > > > the bmv2 p4 dataplane got the firewall feature, and just passed all the tests
> > > > (including the new ones for inspection) tofino will be a bigger piece of hack
> > > > because i'll have to rework the whole ig_ctrl a bit...
> > > > regards,
> > > > cs
> > > >
> > > >
> > > > On 2/9/22 20:44, mc36 wrote:
> > > > > hi,
> > > > > it was a bigger change to have everything in place but fortunately the 
> > > > > forwarder part
> > > > > only got a very small amount, and at an already protected place so if not 
> > > > > activated,
> > > > > this feature does not consume cpu... :)
> > > > > https://github.com/mc36/freeRouter/commit/09cecfd74af9298adc6cbefafc70b30d380b7a5f
> > > > > next steps will be to cover it with tests and then bmv2 and finally tofino 
> > > > > dataplanes....
> > > > > regards,
> > > > > cs
> > > > >
> > > > >
> > > > > On 2/9/22 06:37, mc36 wrote:
> > > > > > hi,
> > > > > > here are some more fixes to the acl export and the poc for bmv2...
> > > > > > https://github.com/mc36/freeRouter/commit/c6c22bada52209759197736aaceed80ffe063878
> > > > > > after a quick check on the tofino code, it uses a bit different pre-tm 
> > > > > > processing
> > > > > > logic to gain stages which needs reworking to be able to punt from outacl
> > > > > > (inacl is feasible with < 10 loc), but i badly want to have something,
> > > > > > so for now, i abandon the multi-tbps firewall idea for a while and i'll
> > > > > > concentrate on the dpdk and the bmv2 stuff (i'll check back for it later
> > > > > > when i clearly see what need to be changed in the bmv2 stuff) and will
> > > > > > progress to export the session table and use the freshly introduced punt
> > > > > > knob of ace to get the new ones... after a quick feasibility check, it
> > > > > > should be easy-peasy, but we'll see... :)
> > > > > > regards,
> > > > > > cs
> > > > > >
> > > > > >
> > > > > > On 2/8/22 11:45, mc36 wrote:
> > > > > > > hi,
> > > > > > > yesterday i had a nice chat with a guy and he asked the right questions and 
> > > > > > > then he allowed to use him as rubber-duck-debugger,
> > > > > > > so i got the idea, what if we introduce a new ace mode called 'punt' (while 
> > > > > > > keeping the existing deny/permit)...
> > > > > > > then we'll have reflexive acls, but this punt functionality, later could be 
> > > > > > > used (if programmed automatically) to do inspection...
> > > > > > > then, we can delay the programming of the inspect rules until we saw the 
> > > > > > > tlc.sni to do domain based filtering, if needed...
> > > > > > > here is the proof-of-concept on dpdk, plus the export capability to 
> > > > > > > freerouter:
> > > > > > > https://github.com/mc36/freeRouter/commit/8399d4e0c629b792f7e27f07945786ee6a4b90d5
> > > > > > > and the fixes needed to pass the testcase for racl:
> > > > > > > https://github.com/mc36/freeRouter/commit/71131ac28dff19289d8edbaebe3085e62175a2db
> > > > > > > it's racl so it'll go to tcam (and linearly searched in dpdk) but the concept 
> > > > > > > seems to work,
> > > > > > > and the inspect sessions will be all-exact matches, that is, they'll consume 
> > > > > > > sram (and binary search in dpdk) like the nat rules...
> > > > > > > next steps will be the bmv2 and tofino codebase to have the 'punt' 
> > > > > > > functionality, then i'll proceed with the inspection....
> > > > > > > until that, try to imagine the wedge as a stateful firewall... :))
> > > > > > > regards,
> > > > > > > cs
>
>
> -=-=-=-=-=-=-=-=-=-=-=-
> Groups.io Links: You receive all messages sent to this group.
> View/Reply Online (#168): https://groups.io/g/freertr/message/168
> Mute This Topic: https://groups.io/mt/88993653/6006518
> Group Owner: 
> Unsubscribe: https://groups.io/g/freertr/unsub []
> -=-=-=-=-=-=-=-=-=-=-=-

Attachment: 2022-02-13-100227_1920x1080_scrot.png
Description: PNG image